Abstract — Some hard problems from lattices, like LWE (Learning with Errors), are particularly suitable for application in Cryptography due to the possibility of using worst-case to average-case reductions as evidence of strong security properties. In this work, we show two LWE-based constructions of zero-knowledge identification schemes and discuss their performance and security. We also highlight the design choices that make our solution of both theoretical and practical interest.

I. Introduction 

A. Identification Schemes 

A zero-knowledge protocol can be employed as a way of demonstrating the knowledge of a secret without actually revealing it. Several instantiations of this idea have been proposed since the seminal work of Fiat and Shamir. The code-based constructions of Stern [10] and Veron [11] have recently been adapted to the lattice domain, as seen in the work of Kawachi, Tanaka and Xagawa [5], and Cayrel, Lindner, Rückert and Silva. In the present work, we propose alternative lattice-based zero-knowledge constructions, using as security assumption the hardness of the LWE Problem, defined below. As seen with several other lattice hard problems, LWE exhibits a worst-case to average-case reduction, which is a very interesting property for cryptographic systems because it increases one's confidence that a random instance of the system is indeed hard to break.

B. The LWE Problem 

The Learning with Errors (LWE) problem was first proposed by Regev in [8] as an extension of the so-called Learning from Parity with Noise (LPN) problem. The search version of LWE can be regarded, roughly speaking, as the problem of recovering a secret s given a "noisy linear equation" of the form As ≈ y mod q. More formally, we can state LWE as follows [8]:



Definition I.1 (Learning with Errors) Let q be a prime number and χ a probability distribution on Z_q. Given a secret s ∈ Z_q^n, we denote by A_{s,χ} the probability distribution on Z_q^n × Z_q obtained by choosing a vector a ∈ Z_q^n uniformly at random, choosing e ∈ Z_q according to χ, and outputting (a, ⟨a, s⟩ + e mod q). We define (the search version of) LWE_{q,χ} as the problem of recovering the secret s (with high probability) given an arbitrary number of samples from A_{s,χ}. The decision version of LWE_{q,χ} is the problem of distinguishing A_{s,χ} samples from the uniform distribution on Z_q^n × Z_q. For q = 2 this is the well-known LPN problem.

In recent years, the LWE problem has often been used as the basis of many cryptographic constructions due to its strong security properties, such as the decision-to-search and average-to-worst-case reductions. Moreover, if χ is the "discrete Gaussian" distribution with standard deviation αq > 2√n, the hardness of LWE is proven to be related to the worst case of some well known lattice problems such as GapSVP and SIVP, which are believed to be secure even under quantum attacks. For practical applications, it is worth considering the "ideal" version of LWE, or ring-LWE, in which the entries of a are the coefficients of polynomials in the ring Z_q[x]/(x^n + 1), the "anticyclic" ring. This approach allows faster matrix-vector multiplications due to Fast Fourier Transforms and reduced keys of size equal to O(n) elements of Z_q. Also, a reduction from the approximate version of SVP on ideal lattices to the search version of ring-LWE under certain assumptions on χ (which lead to a non-spherically distributed error) was recently published [7].

It is worth noting that LWE is closely related to the SIS problem, which is that of finding a small integer solution x for the equation Ax = 0 mod q (or Ax = y mod q for the inhomogeneous SIS). Concerning identification schemes, some of them are built upon SIS and its version on ideal lattices [2]. An ID-scheme based on a slight modification of LWE is proposed in [12], but it is not clear whether this modification preserves LWE hardness. Thus, the schemes proposed in this work are, to our knowledge, the first ones with security based on the hardness of LWE.



C. Auxiliary Primitives

Definition I.2 (Hamming isometry Π_{γ,Σ}) Let Σ be a permutation of {1, ..., n} and γ = (γ_1, ..., γ_n) ∈ F_q^n such that γ_i ≠ 0, ∀i. We define the transformation Π_{γ,Σ} as the mapping F_q^n → F_q^n taking v to (γ_{Σ(1)} v_{Σ(1)}, ..., γ_{Σ(n)} v_{Σ(n)}).

This transformation commutes with multiplication by a scalar and preserves the Hamming weight. That is,

$$\forall \alpha \in \mathbb{F}_q \text{ and } \forall v \in \mathbb{F}_q^n: \quad \Pi_{\gamma,\Sigma}(\alpha v) = \alpha\,\Pi_{\gamma,\Sigma}(v) \quad \text{and} \quad \mathrm{wt}(\Pi_{\gamma,\Sigma}(v)) = \mathrm{wt}(v).$$

D. Notation and Conventions 

• V_h, P_h - honest Verifier, honest Prover

• V_c, P_c - cheating Verifier, cheating Prover

• V', P' - arbitrary Verifier, arbitrary Prover

• wt - Hamming weight

• || - string concatenation

• com - string commitment function

• reductions - the operations in our protocols involve modular reduction by q.

• i ←$ S - choose uniformly at random from set S

• i ←χ S - choose at random from set S according to distribution χ

• S_n - set of permutations over {1, ..., n}

• ▷ - comment in pseudo code

• ≟ - check if an equality holds

II. Our LWE-based Scheme 
A. Version with 2/3 soundness error 
1) Key-Generation Algorithm:

1: procedure KEYGEN(n, m, q)
2:   A ← F_q^{m×n}, s ← F_q^n, e ← F_q^m
3:   b ← As + e
4:   p ← wt(e)
5:   ▷ (A, b, p) is the public key
6:   ▷ (s, e) is the private key
7:   return {(A, b, p), (s, e)}

2) Identification Algorithm:

1: procedure IDENTIFICATION(n, m, q)
2:   {(A, b, p), (s, e)} ← KEYGEN(n, m, q)
3:   ▷ Prover
4:   u ← F_q^n, γ ← F_q^m with γ_i ≠ 0, ∀i
5:   Σ ← S_m, r_1, r_2, r_3 ← {0, 1}^n
6:   ▷ Compute the commitments
7:   c_1 ← com(Π_{γ,Σ}; r_1)
8:   c_2 ← com(Π_{γ,Σ}(A(u + s)); r_2)
9:   c_3 ← com(Π_{γ,Σ}(Au + b); r_3)
10:  ▷ Send the commitments to the Verifier
11:  ▷ Verifier
12:  ch ← {1, 2, 3}.
13:  ▷ Send the challenge ch to the Prover
14:  ▷ Prover
15:  ▷ Open the commitments to the Verifier
16:  if ch = 1 then
17:    send r_1, r_2, u + s and Π_{γ,Σ}
18:  else if ch = 2 then
19:    send r_2, r_3, Π_{γ,Σ}(A(u + s)) and Π_{γ,Σ}(e)
20:  else if ch = 3 then
21:    send r_1, r_3, Π_{γ,Σ} and u
22:  ▷ Verifier
23:  ▷ Check the commitments
24:  if ch = 1 then
25:    check that c_1 and c_2 are correct.
26:  else if ch = 2 then
27:    check that c_2 and c_3 are correct;
28:    check that wt(Π_{γ,Σ}(e)) = p.
29:  else if ch = 3 then
30:    check that c_1 and c_3 are correct.
31:  if all the checks were correct then
32:    return "success"
33:  else
34:    return "failure".
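As an added worked example (not code from the paper), the following Python implements the 2/3-soundness-error scheme above end to end with toy parameters: the Hamming isometry of Definition I.2 and its inverse, key generation, the three commitments, the answer to each challenge, the Verifier's checks, and the extractor of Theorem II.1 that recovers (s, e) from answers to all three challenges on one commitment set. It assumes a SHA-256 based commitment com(x; r), an error distribution χ with coordinates in {-1, 0, 1}, and constructed parameters (q, n, m) = (97, 4, 6) that are far too small for security.

```python
import hashlib
import secrets

q, n, m = 97, 4, 6   # constructed toy parameters; real instances need far larger values
rb = secrets.randbelow

def mat_vec(A, v):   # A*v mod q for an m x n matrix A
    return [sum(a * x for a, x in zip(row, v)) % q for row in A]
def add(x, y):
    return [(a + b) % q for a, b in zip(x, y)]
def wt(v):   # Hamming weight
    return sum(1 for x in v if x % q)
def isometry(gamma, sigma, v):   # Pi_{gamma,Sigma}(v)_i = gamma_{Sigma(i)} * v_{Sigma(i)} (Definition I.2)
    return [(gamma[sigma[i]] * v[sigma[i]]) % q for i in range(len(v))]
def isometry_inv(gamma, sigma, w):   # undo isometry(): v_j = w_i / gamma_j where Sigma(i) = j
    inv = sorted(range(len(w)), key=sigma.__getitem__)   # inv[j] = i with sigma[i] == j
    return [w[inv[j]] * pow(gamma[j], -1, q) % q for j in range(len(w))]
def com(data, r):   # assumed hash-based string commitment with randomness r
    return hashlib.sha256(repr(data).encode() + r).hexdigest()

def keygen():
    A = [[rb(q) for _ in range(n)] for _ in range(m)]
    s = [rb(q) for _ in range(n)]
    e = [(rb(3) - 1) % q for _ in range(m)]   # toy chi: coordinates in {-1, 0, 1}
    b = add(mat_vec(A, s), e)
    return (A, b, wt(e)), (s, e)   # public key (A, b, p), private key (s, e)

def prover_commit(pk, sk):   # steps 4-9: draw u, gamma, Sigma, r_1..r_3; build c_1, c_2, c_3
    (A, b, p), (s, e) = pk, sk
    u = [rb(q) for _ in range(n)]
    gamma = [1 + rb(q - 1) for _ in range(m)]                 # gamma_i != 0
    sigma = secrets.SystemRandom().sample(range(m), m)        # random permutation of {0..m-1}
    r = [secrets.token_bytes(16) for _ in range(3)]
    pi_Aus = isometry(gamma, sigma, mat_vec(A, add(u, s)))
    c = [com((gamma, sigma), r[0]), com(pi_Aus, r[1]),
         com(isometry(gamma, sigma, add(mat_vec(A, u), b)), r[2])]
    return c, (u, gamma, sigma, r, pi_Aus)

def prover_answer(ch, sk, state):   # steps 16-21: open the two commitments ch selects
    (s, e), (u, gamma, sigma, r, pi_Aus) = sk, state
    if ch == 1:
        return r[0], r[1], add(u, s), gamma, sigma
    if ch == 2:
        return r[1], r[2], pi_Aus, isometry(gamma, sigma, e)
    return r[0], r[2], gamma, sigma, u

def verify(pk, c, ch, ans):   # steps 24-30: recompute the opened commitments
    A, b, p = pk
    if ch == 1:
        r1, r2, us, gamma, sigma = ans
        return c[0] == com((gamma, sigma), r1) and c[1] == com(isometry(gamma, sigma, mat_vec(A, us)), r2)
    if ch == 2:   # Pi(A(u+s)) + Pi(e) = Pi(Au + As + e) = Pi(Au + b), since Pi is linear
        r2, r3, pi_Aus, pi_e = ans
        return c[1] == com(pi_Aus, r2) and c[2] == com(add(pi_Aus, pi_e), r3) and wt(pi_e) == p
    r1, r3, gamma, sigma, u = ans
    return c[0] == com((gamma, sigma), r1) and c[2] == com(isometry(gamma, sigma, add(mat_vec(A, u), b)), r3)

def run_round(pk, sk, ch):   # one round: commit, challenge ch, answer, verify
    c, state = prover_commit(pk, sk)
    return verify(pk, c, ch, prover_answer(ch, sk, state))

def extract(ans1, ans2, ans3):   # extractor of Theorem II.1 from answers to all three challenges
    (_, _, us, gamma, sigma), (_, _, _, pi_e), u = ans1, ans2, ans3[4]
    s = [(x - y) % q for x, y in zip(us, u)]            # s = (u + s) - u
    return s, isometry_inv(gamma, sigma, pi_e)          # e = Pi^{-1}(Pi(e))
```

A prover holding a wrong secret s' fails challenge 2, because Π(A(u + s')) + Π(e) equals the committed Π(Au + b) only when As' + e = b.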



B. Properties 

In this section we prove the properties of completeness, 
soundness and zero-knowledge of our identification scheme. 

a) Completeness: 

Proof: Knowing the secret values (s, e), an honest Prover P_h has all the information needed in order to compute the commitments and answer the challenges that enable the honest Verifier V_h to ascertain the validity of the commitments and the parameters from which they were obtained. Both parties have access to the public parameters {A, b, com}. Thus,

$$\Pr\big(\text{Identification Algorithm}(P_h, V_h) = \text{"success"}\big) = 1$$

□ 

b) Soundness: 

Now we show that a cheating Prover Pc cannot deceive an 
honest Verifier Vh with probability strictly greater than 2/3 
without breaking the security assumptions upon which the 
Identification Algorithm is built. 

Theorem II.1 If V_h accepts a proof from P_c with probability ≥ (2/3)^r + ε, with ε non-negligible, then there exists a polynomial time probabilistic machine M which, with overwhelming probability, either computes a valid secret pair (s, e) or finds a collision in the commitment scheme.

Let us suppose, for the sake of contradiction, that the cheating Prover P_c is able to get accepted with probability ≥ (2/3)^r + ε, with ε non-negligible. Similarly to the proof technique applied by Veron [11], we show that either a collision has been found in the underlying commitment scheme or we can find in polynomial time a set of commitments to which the cheating Prover P_c is able to provide answers that enable the Verifier V_h to re-compute them, retrieving the private secret (s, e), thus violating the hardness of the LWE problem.

Let us use subscripts {a, b, c} to denote the answers given 
to challenges {1,2,3}. 

If one is able to find collisions in the commitment scheme, then it is possible to come up with different answers that reproduce the same set {c_1, c_2, c_3}.

In the other case, the prover P_c is supposed to provide answers so that the equalities below are satisfied:

$$\Pi_{\gamma_a,\Sigma_a} = \Pi_{\gamma_c,\Sigma_c} \quad \text{for } c_1;$$

$$\Pi_{\gamma_b,\Sigma_b}(A(u_b + s_b)) = \Pi_{\gamma_a,\Sigma_a}(A(u_a + s_a)) \quad \text{for } c_2;$$

$$\Pi_{\gamma_b,\Sigma_b}(A(u_b + s_b)) + \Pi_{\gamma_b,\Sigma_b}(e_b) = \Pi_{\gamma_c,\Sigma_c}(A u_c + b) \quad \text{for } c_3.$$

From these, one can derive the secret parameters as follows:

$$s \leftarrow (u_a + s_a) - u_c;$$

Let now RA denote the random tape from which Prover P_c obtains the elements necessary to compute the commitments and answers, and let Q be the set {0, 1, 2} from which the Verifier V_h obtains his/her challenges. Denote by (f, g) ∈ (RA × Q)^r a pair chosen uniformly at random from these sets. We consider such a pair to be valid, that is (f, g) ∈ Valid, when it leads to a result equal to "success" after r rounds of execution. We have assumed in the beginning of this proof that the cardinalities of the sets involved are such that

$$\frac{\mathrm{card}(Valid)}{\mathrm{card}((RA \times Q)^r)} \ge \left(\frac{2}{3}\right)^r + \varepsilon.$$

One can reason with the pigeonhole principle to characterize the ability of the prover P_c to answer strictly more than two challenges for any set of commitments. It can be modeled as follows. Let Ω_r ⊆ RA^r be such that

• when f ∈ Ω_r, we have 2^r + 1 ≤ card({g : (f, g) ∈ Valid}) ≤ 3^r;

• when f ∈ RA^r \ Ω_r, we have 0 ≤ card({g : (f, g) ∈ Valid}) ≤ 2^r.

Hence,

$$\frac{\mathrm{card}(Valid)}{\mathrm{card}((RA \times Q)^r)} \le \frac{\mathrm{card}(\Omega_r)}{\mathrm{card}(RA^r)} + \left(\frac{2}{3}\right)^r.$$

From the assumption in this proof,

$$\frac{\mathrm{card}(\Omega_r)}{\mathrm{card}(RA^r)} \ge \varepsilon.$$

By resetting the cheating Prover P_c an average number of times equal to 1/ε, it is possible to find an execution instance such that he has to answer three different challenges for the same set of commitments. With that, we would have obtained in polynomial time a solution for any LWE instance. □

c) Zero-Knowledge: 
Let us build a simulator S that mimics the communication 
tape between the Prover P and the Verifier V, and then show 
that it cannot be statistically distinguished from a real tape. 
Let us call {P,V) the real communication tape, and {P',V') 
its simulation. We assume that there is access to the verifier V 
as a black box: it is fed with the public parameters and gives 
as response a challenge. 
1: procedure SIMULATOR(A, n, m, q, r)
2:   ch' ← {1, 2, 3}  ▷ predict the challenge.
3:   γ ← F_q^m with γ_i ≠ 0, ∀i ∈ {1, ..., m}
4:   Σ ← S_m, u' ← F_q^n, e' ← F_q^m with wt(e') = p
5:   r_1 ← {0, 1}^n, r_2 ← {0, 1}^n, r_3 ← {0, 1}^n
6:   if ch' = 1 then  ▷ prepare {c_1, c_2}
7:     Solve y satisfying Ay = b − e'
8:     Compute c_1 ← com(Π_{γ,Σ}; r_1)
9:     Compute c_2 ← com(Π_{γ,Σ}(Ay); r_2)
10:    c_3 ← Image of com
11:  else if ch' = 2 then  ▷ prepare {c_2, c_3}
12:    Solve s' satisfying As' = b − e'
13:    c_2 ← com(Π_{γ,Σ}(A(u' + s')); r_2)
14:    c_3 ← com(Π_{γ,Σ}(Au' + b); r_3)
15:    c_1 ← Image of com
16:  else  ▷ prepare {c_1, c_3}
17:    c_1 ← com(Π_{γ,Σ}; r_1)
18:    c_3 ← com(Π_{γ,Σ}(Au' + b); r_3)
19:    c_2 ← Image of com
20:  ch ← V'(c_1, c_2, c_3).
21:  if ch and ch' are different then
22:    rewind V' and go to step 2
23:  else
24:    Open the commitments and save the messages.
25:  r ← r − 1
26:  if r > 0 then
27:    Go to Step 2.


The values chosen by the simulator in order to compute 
the commitments follow the same distribution as that from 
a real execution. The statistically hiding property of the 
commitment scheme com conceals the fact that some of the 
commitments were just taken as random values, instead of 
actually computed via the application of com to some set of 
parameters. Therefore, the transcript of the simulation above 
is statistically indistinguishable from what would have been 
obtained from a real execution of the protocol, proving that it 
has the property of statistical zero-knowledge. □ 

C. Version with 1/2 soundness error 

Cayrel, Veron and El Yousfi [3] proposed an identification scheme with soundness error approximately 1/2, using the hardness of syndrome decoding over q-ary codes as security assumption.

Here, we revisit their construction, adapting the core protocol to work over LWE. We also suggest the use of a lattice-based string commitment scheme [1], aiming at relying on a single security assumption: the hardness of LWE. These changes allowed us to obtain a scheme whose security is based on a problem for which there is a quantum reduction from worst cases of hard lattice problems [9]. In order to speed up the operations involving multiplications with matrices and vectors, as well as to reduce the memory footprint, we adopt the use of rings [7].

1) Key Generation Algorithm:

1: procedure KEYGEN(n, m, q)
2:   A ← F_q^{m×n}, s ← F_q^n, e ← F_q^m
3:   b ← As + e
4:   Compute A^⊥ such that A^⊥A = 0
5:   y ← A^⊥e; p ← wt(e)
6:   ▷ (A, A^⊥, y, b, p) is the public key
7:   ▷ (s, e) is the private key
8:   return {(A, A^⊥, y, b, p), (s, e)}



Unless stated otherwise, the random choices assume that the distribution is uniform. In order to hide the private parameters involved in the messages exchanged between the Prover and the Verifier, we use three mechanisms:

i a computationally binding and statistically hiding commitment scheme, denoted by com;

ii a weight-preserving transformation Π_{γ,Σ} as defined in Definition I.2;

iii a blinding sum with a random factor uniformly chosen.
2) Identification Algorithm:

1: procedure IDENTIFICATION(n, m, q)
2:   {(A, A^⊥, y, b, p), (s, e)} ← KEYGEN(n, m, q)
3:   ▷ Prover
4:   u ← F_q^m
5:   γ ← F_q^m with γ_i ≠ 0, ∀i
6:   Σ ← S_m
7:   ▷ Compute the commitments
8:   c_1 ← com(γ || Σ || A^⊥u; r_1)
9:   c_2 ← com(Π_{γ,Σ}(u) || Π_{γ,Σ}(e); r_2)
10:  ▷ Send the commitments to the Verifier
11:  ▷ Verifier
12:  α ← Z_q.
13:  Send α to the Prover.
14:  ▷ Prover
15:  Respond with β ← Π_{γ,Σ}(u + αe)
16:  ▷ Verifier
17:  Send a challenge ch ∈ {1, 2}
18:  ▷ Prover
19:  ▷ Open the corresponding commitment
20:  if ch = 1 then
21:    respond with r_1, γ, Σ
22:  else if ch = 2 then
23:    respond with r_2, Π_{γ,Σ}(e)
24:  ▷ Verifier
25:  ▷ Check the commitments
26:  if ch = 1 then
27:    c_1 ≟ com(γ || Σ || A^⊥Π^{-1}_{γ,Σ}(β) − αy; r_1)
28:  else if ch = 2 then
29:    c_2 ≟ com(β − αΠ_{γ,Σ}(e) || Π_{γ,Σ}(e); r_2)
30:    wt(Π_{γ,Σ}(e)) ≟ p
31:  if all the checks were correct then
32:    return "success"
33:  else
34:    return "failure".



D. Properties 

In this section we prove the properties of completeness, 
soundness and zero-knowledge of our identification scheme. 

a) Completeness: 
Proof: The knowledge of the secret values (s, e) enables an honest Prover P_h to compute the commitments and answer any challenge that the honest Verifier V_h may pose. Both parties have access to the public parameters {A^⊥, y, com}. Thus,

$$\Pr\big(\text{Identification Algorithm}(P_h, V_h) = \text{"success"}\big) = 1$$

□ 



b) Soundness: 

The structure of the protocol is essentially that of Cayrel et al. [3], except for the way the commitments are computed and the underlying hard problem. The reasoning about the relative size of the sample spaces from which the random choices are made follows a similar line. The main difference rests in the way the secret keys are extracted from the commitments once they are opened by the Prover, as shown below.

Theorem II.2 If V_h accepts a proof from P_c with probability exceeding the r-round soundness error by a non-negligible ε, then there exists a polynomial time probabilistic machine M which, with overwhelming probability, either computes the secret value e or finds a collision in the commitment scheme.

We use subscript a to denote the values revealed upon reception of a challenge equal to 1, and subscript b for a challenge equal to 2. Then

$$\Pi_{\gamma_a,\Sigma_a} = \Pi_{\gamma_b,\Sigma_b} \quad \text{for } c_1,$$

$$\Pi_{\gamma_a,\Sigma_a}(e_a) = \Pi_{\gamma_b,\Sigma_b}(e_b) \quad \text{for } c_2.$$

Given that {γ_a, Σ_a} are published due to the challenge equal to 1, and Π_{γ_b,Σ_b}(e_b) is published due to the challenge equal to 2, such information can be used to derive the secret parameter e as follows:

From the assumption made in this proof,

$$\frac{\mathrm{card}(\Omega_r)}{\mathrm{card}(RA^r)} \ge \varepsilon.$$

By resetting the cheating Prover P_c an average number of times equal to 1/ε, it is possible to find an execution instance such that he has to answer three different challenges for the same set of commitments. With that, we would have obtained in polynomial time a solution for any LWE instance. □

c) Zero-Knowledge: 

Let us build a simulator S that mimics the communication 
between the Prover P and the Verifier V, and then show that 
it cannot be statistically distinguished from a real tape. Let 
us call (P, V) the real communication tape, and (P', V') its 
simulation. We assume that there is access to the verifier V 
as a black box: it is fed with the public parameters and gives 
as response a challenge. 

The simulator is built as follows, using oracle access to a verifier V'.

1: procedure SIMULATOR(A, b, y, p, n, m, q, r)
2:   γ ← F_q^m with γ_i ≠ 0, ∀i ∈ {1, ..., m}
3:   Σ ← S_m, ch' ← {1, 2}, u' ← F_q^m
4:   r_1 ← {0, 1}^n, r_2 ← {0, 1}^n
5:   if ch' = 1 then
6:     Solve e' for A^⊥e' = y
7:     c_1 ← com(γ || Σ || A^⊥u'; r_1)
8:     c_2 ← Image of com
9:   else
10:    e' ← F_q^m with wt(e') = p
11:    c_2 ← com(Π_{γ,Σ}(u') || Π_{γ,Σ}(e'); r_2)
12:    c_1 ← Image of com
13:  α ← V'(c_1, c_2)
14:  β ← Π_{γ,Σ}(u' + αe')
15:  ch ← V'(c_1, c_2, β)
16:  if ch and ch' are different then
17:    rewind V' and go to step 2
18:  else
19:    Open the commitments and save the messages.
20:  r ← r − 1
21:  if r > 0 then
22:    Go to Step 2.

The values chosen by the simulator in order to compute the commitments follow the same distribution as that from a real execution. The statistically hiding property of the commitment scheme com conceals the fact that some of the commitments were just taken as random values. Therefore, the transcript of the simulation above is statistically indistinguishable from what would have been obtained from a real execution of the protocol, proving that it has the property of statistical zero-knowledge. □

E. Security and Performance 

1) Overall Soundness Error: There are two security aspects to be taken into account regarding the scheme: the hardness of the underlying LWE problem and the overall soundness error. The first factor is linked with the values of {n, m, q} and can be determined using the best known algorithm for solving LWE [6]. The analysis of Lindner and Peikert addresses an encryption scheme, but we believe it can be adapted to our setting. The second is related to the desired upper bound L for the probability of success of an impersonation after r rounds of protocol execution. It has a direct impact on the communication costs, given that the following condition must be met:

• (2/3)^r < L for the first scheme;

• the analogous bound, with the per-round soundness error of the second scheme (approximately 1/2) in place of 2/3, for the second scheme.

Our system is secure under the Serial Active Model.

2) Communication Costs: Let us calculate the average communication costs for this identification scheme. Whenever a random vector is supposed to be exchanged between the Prover and the Verifier, we send the corresponding seed from which the element can be obtained, assuming that both parties agree upon the use of a pseudo-random generator. The definition of the isometry Π_{γ,Σ} takes two seeds (one for the vector γ and the other for the permutation Σ). The number of bits of a given element is returned by the application of |seed|. Therefore, the payload breakdown per round of execution can be seen as follows:

• Commitments: 3|com|

• Challenge: ⌈log_2 max(ch)⌉

• Answer (average): … |seed| + … (m + n)⌈log_2 q⌉

Similarly to the procedure followed with the 2/3 soundness error scheme, we have for the 1/2 soundness error version the following breakdown for the communication costs per round:

• Commitments: 2|com| + n⌈log_2 q⌉

• Challenges: ⌈log_2 max(ch)⌉ + ⌈log_2 q⌉

• Answer (average): 2|seed| + (m/2)⌈log_2 q⌉

III. Conclusion 

We have shown in this paper an adaptation to lattices of two zero-knowledge identification schemes originally designed with codes. Using the hardness of LWE as security assumption and a set of suitable parameters, we obtained a construction with a worst-case connection to hard lattice problems. Through the use of ring-LWE constructions, the memory footprint is taken to levels similar to what could be obtained with ideal-SIS schemes, and operations involving multiplication with vectors are more efficiently performed via FFT. Besides, the adaptations preserved much of the structure of the original protocols. From a theoretical angle, this points towards a possible unification of cryptographic schemes based on codes and lattices.